[nanbield,03/21] zlib: ignore CVE-2023-6992

Message ID	7523c7b3609220b4dfc2bb0a83c552db60e1dc7e.1708012696.git.steve@sakoman.com
State	Accepted
Delegated to:	Steve Sakoman
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.214.174, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][nanbield 03/21] zlib: ignore CVE-2023-6992 Date: Thu, 15 Feb 2024 06:17:46 -1000 Message-Id: <7523c7b3609220b4dfc2bb0a83c552db60e1dc7e.1708012696.git.steve@sakoman.com> In-Reply-To: <cover.1708012696.git.steve@sakoman.com> References: <cover.1708012696.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[nanbield,01/21] tiff: fix CVE-2023-6228 \| expand [nanbield,01/21] tiff: fix CVE-2023-6228 [nanbield,02/21] tiff: fix CVE-2023-52355 and CVE-2023-52356 [nanbield,03/21] zlib: ignore CVE-2023-6992 [nanbield,04/21] libssh2: backport fix for CVE-2023-48795 [nanbield,05/21] gcc: Update status of CVE-2023-4039 [nanbield,06/21] cve_check: handle CVE_STATUS being set to the empty string [nanbield,07/21] cve_check: cleanup logging [nanbield,08/21] gtk: Set CVE_PRODUCT [nanbield,09/21] glibc: stable 2.38 branch updates [nanbield,10/21] linux-firmware: upgrade 20231030 -> 20231211 [nanbield,11/21] xserver-xorg: 21.1.9 -> 21.1.11 [nanbield,12/21] at-spi2-core: upgrade 2.50.0 -> 2.50.1 [nanbield,13/21] cpio: upgrade 2.14 -> 2.15 [nanbield,14/21] gstreamer: upgrade 1.22.8 -> 1.22.9 [nanbield,15/21] allarch: Fix allarch corner case [nanbield,16/21] reproducible: Fix race with externalsrc/devtool over lockfile [nanbield,17/21] externalsrc: fix task dependency for do_populate_lic [nanbield,18/21] udev-extraconf: fix unmount directories containing octal-escaped chars [nanbield,19/21] pseudo: Update to pull in gcc14 fix and missing statvfs64 intercept [nanbield,20/21] overlayfs: add missing closing parenthesis in selftest [nanbield,21/21] multilib_global.bbclass: fix parsing error with no kernel module split

Message ID

7523c7b3609220b4dfc2bb0a83c552db60e1dc7e.1708012696.git.steve@sakoman.com

State

Accepted

Delegated to:

Steve Sakoman

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][nanbield 03/21] zlib: ignore CVE-2023-6992
Date: Thu, 15 Feb 2024 06:17:46 -1000
Message-Id: 
 <7523c7b3609220b4dfc2bb0a83c552db60e1dc7e.1708012696.git.steve@sakoman.com>
In-Reply-To: <cover.1708012696.git.steve@sakoman.com>
References: <cover.1708012696.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[nanbield,01/21] tiff: fix CVE-2023-6228 | expand

Commit Message

Steve Sakoman Feb. 15, 2024, 4:17 p.m. UTC

From: Peter Marko <peter.marko@siemens.com>

This CVE is for iCPE cloudflare:zlib.

Alternative to ignoring would be to limit CVE_PRODUCT, but
historic CVEs already have two - gnu:zlib and zlib:zlib.
So limiting it could miss future CVEs.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 9f953a1cd832f03f0b3666168addf45fd4fc8d14)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/recipes-core/zlib/zlib_1.3.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-core/zlib/zlib_1.3.bb b/meta/recipes-core/zlib/zlib_1.3.bb
index 1ed18172fa..ede75f90bd 100644
--- a/meta/recipes-core/zlib/zlib_1.3.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.bb
@@ -47,3 +47,4 @@  do_install_ptest() {
 BBCLASSEXTEND = "native nativesdk"
 
 CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
+CVE_STATUS[CVE-2023-6992] = "cpe-incorrect: this CVE is for cloudflare zlib"

[nanbield,03/21] zlib: ignore CVE-2023-6992

Commit Message

Patch